author | Bogdan Gusiev <agresso@gmail.com> | 2011-07-28 11:56:08 +0300 |
---|---|---|
committer | Xavier Noria <fxn@hashref.com> | 2011-08-13 16:22:26 -0700 |
commit | f86f7702507f477eb8f0a8e914bdb53219fac953 (patch) | |
tree | 47fb43aa64e25c8deb6768a5eb146c45f2db145f /activemodel/test/cases | |
parent | 5f3265c4714efd697cb71015489a9c59d1129440 (diff) | |
MassAssignmentProtection: consider 'id' insensitive in StrictSanitizer
In order to use StrictSanitizer in test mode,
consider :id as a not-sensitive attribute that can be filtered from
mass assignment without exception.
Diffstat (limited to 'activemodel/test/cases')
-rw-r--r-- | activemodel/test/cases/mass_assignment_security/sanitizer_test.rb | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb b/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb index 62a6ec9c9b..676937b5e1 100644 --- a/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb +++ b/activemodel/test/cases/mass_assignment_security/sanitizer_test.rb @@ -7,7 +7,7 @@ class SanitizerTest < ActiveModel::TestCase class Authorizer < ActiveModel::MassAssignmentSecurity::PermissionSet def deny?(key) - key.in?(['admin']) + ['admin', 'id'].include?(key) end end @@ -40,4 +40,12 @@ class SanitizerTest < ActiveModel::TestCase end end + test "mass assignment insensitive attributes" do + original_attributes = {'id' => 1, 'first_name' => 'allowed'} + + assert_nothing_raised do + @strict_sanitizer.sanitize(original_attributes, @authorizer) + end + end + end |
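Review bot: adding 'id' to the test Authorizer's deny list in the first hunk means the strict sanitizer would now raise on any attribute hash carrying an 'id' unless the sanitizer itself treats 'id' as insensitive, and that sanitizer-side change is not in this diff (the diffstat is limited to activemodel/test/cases), so this test file only passes together with the matching change under lib; either land both in one commit or say in the commit message which change it depends on. The switch from `key.in?(['admin'])` to `['admin', 'id'].include?(key)` is otherwise behaviour-neutral, plain Array#include? in place of the ActiveSupport `in?` extension.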
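Review bot: the new test in the second hunk only checks that `sanitize` does not raise; it never looks at the returned hash, so it would also pass if 'id' were let through to the model untouched. Capture the result and assert on it, e.g. `sanitized = @strict_sanitizer.sanitize(original_attributes, @authorizer)` followed by `assert_equal({'first_name' => 'allowed'}, sanitized)`, so the test pins down both halves of what the commit message promises: 'id' is filtered silently and the permitted attribute survives.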